FTC Reminds Consumer Health Apps of Its Health Breach Notification Rule

Baker Ober Health Law

Baker Ober Health Law

On September 15, 2021, recognizing the ever-increasing growth and use of mobile health apps as well as connected devices that capture individuals' health data, the Federal Trade Commission (FTC) issued a Policy Statement reminding organizations of the reach of its Health Breach Notification Rule (Rule).

In general, the Rule holds accountable those entities who are not otherwise covered by the Health Insurance Portability and Accountability Act (HIPAA) when their customers' unsecured health information is compromised.

Up to this point, the FTC has not typically enforced the Rule relative to mobile health apps. However, given the recent proliferation of digital health resources, such as those that track diseases, treatment, fitness, fertility, sleep, mental health, and diet, and their somewhat unrestrained collection and use of consumer data, the FTC took this most recent step to make clear that mobile health apps are generally considered to provide health care services or supplies as it relates to personal health records and, as such, are subject to the Rule. Pursuant to the Policy Statement, a personal heath record is an electronic record that can be drawn from multiple sources.

So, according to the FTC, if a mobile health app draws such consumer-sensitive health information from multiple sources – such as a through a combination of consumer inputs and application programming interfaces (APIs) – or even through a combination of both health and non-health sources (such as consumer input coupled with the data supplied by the consumer's phone), they are subject to the Rule. Consequently, any time that mobile health app discloses or shares health information without user authorization, the Rule's breach notification requirements are triggered.

In order to comply with this most recent guidance and to ensure alignment with the FTC's commitment to the protection of consumer data, developers offering mobile health apps and related digital health resources should integrate the FTC's recommended best practices for the protection of consumer data and the related laws governing those resources.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Ober Health Law | Attorney Advertising

Written by:

Baker Ober Health Law

Baker Ober Health Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.